Facebook has in excess of 640 million registered users with over 7 billion pieces of content shared weekly. Twitter has in excess of 299 million registered users with over 95 million tweets per day. LinkedIn has in excess of 100 million registered users.
The risks associated with these popular social media platforms are well documented. Fortunately, businesses worldwide are quickly evolving their understanding of the risks of what information should and should not be communicated or shared by employees via the various social media platforms. However, these same businesses may be at an even greater risk of exposing proprietary and confidential information through their employees' use of public cloud storage platforms such as Dropbox.
At the Carmel Valley eDiscovery Retreat (CVeDR) held July 22-25, 2012 in Monterey, California, I had the pleasure of moderating several panel discussions on cloud computing featuring industry experts in eDiscovery, Internet security and the legal risks associated with storing data in a public cloud. The consensus from the panels was that storing any data in the public cloud posed both a security and a legal risk.
The recommendations from these experts regarding what data businesses should put in the public cloud varied from "don't put any data in the public cloud" to "don't put any proprietary or confidential data in the public cloud." However, regardless of what the experts say, the operational efficiencies and financial incentives of cloud computing are just too great for businesses to ignore. But that doesn't mean that business owners should ignore the facts.
The Experts are Cautious
The consensus among the CVeDR cloud panel experts was that there was probably more data stored in Dropbox than most businesses realized and that it was a potential source of risk. Several of the lawyers on the CVeDR panels indicated that a business could potentially lose its claims to properly protecting trade secrets and other proprietary information by merely storing data in storage technologies like Dropbox. The security experts on the CVeDR panel contended that there were still some very worrisome security issues with storage technologies like Dropbox.
What DropBox Says
According to its website, Dropbox says that it uses modern encryption methods, such as Secure Sockets Layer (SSL) and AES-256 bit encryption, to both transfer and store your data. In addition, Dropbox says that the Dropbox website and client software have been hardened against attacks from hackers, that public folders are not browsable or searchable, and that public files are only viewable by people who have a link to the file(s).
What Can Happen
However, Dropbox actually uses Amazon's Simple Storage Service (S3) for storage and therefore does not have direct control over the security of the files that you store. The potential problems with Cloud Service Providers (CSPs) such as Amazon S3 were very evident this summer when a severe storm that rumbled across the Eastern U.S., leaving nine people dead and millions without power, also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon's data centers.
In another alarming security development for AWS, on Monday August 6, 2012, Amazon changed its customer privacy policies, closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday. As posted on the Wired.com website in an article by Nathan Olivarez-Giles titled "Amazon Quietly Closes Security Hole After Journalist's Devastating Hack", previously Amazon allowed people to call in and change the email address associated with an Amazon account, or add a credit card number to an Amazon account, as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.
Nathan Olivarez-Giles reports in this article that on Tuesday August 7, 2012, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”
The security gap was used by hackers, one of whom identified himself as a 19-year-old going by the name “Phobia,” to gain access to Honan’s Amazon account on Friday. Once Phobia and another hacker gained access to Honan’s Amazon account, they were able to view the last four digits of a credit card linked to the account.
The hackers then used those four digits to trick Apple customer service into thinking it was dealing with Honan. Apple customer service then gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account.
We discovered Amazon’s policy change on Tuesday after we failed to replicate the exploits used on Honan this weekend. Amazon declined comment on the security hole on Monday, and has since failed to return repeated phone calls from Wired about the vulnerability.
As for these cloud storage vendors being able to keep data secure: Dropbox confirmed Tuesday, July 31, 2012 that its users had been experiencing a spam onslaught, and reported that the issue was tracked to an employee. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.
However, many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.
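The two detective controls mentioned above, suspicious-activity identification and a login history the account owner can review, can be illustrated with a small detector run over login logs. The following is an added example written for this page, not Dropbox's code; the log line format (timestamp, username, source IP, outcome), the sample events and the thresholds are all constructed assumptions. It flags a source IP that tries many distinct accounts in a short window with mostly failures (stolen credentials from other sites being replayed), lists the accounts whose reused password actually worked from that source, and separately reports successful logins from an IP the account has never used before, which is what a login-history page lets a user spot.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Dropbox logs); one event per line:
# <ISO timestamp> <username> <source IP> <success|failure>
SAMPLE_LOG = """\
2012-07-30T18:00:00 alice 198.51.100.7 success
2012-07-30T18:30:00 bob 198.51.100.8 success
2012-07-31T08:00:01 alice 203.0.113.10 success
2012-07-31T08:00:05 bob 203.0.113.10 failure
2012-07-31T08:00:07 carol 203.0.113.10 failure
2012-07-31T08:00:09 dave 203.0.113.10 failure
2012-07-31T08:00:11 erin 203.0.113.10 success
2012-07-31T08:00:13 frank 203.0.113.10 failure
2012-07-31T08:00:15 grace 203.0.113.10 failure
2012-07-31T09:00:00 bob 198.51.100.8 success
"""


def parse_log(text):
    """Parse the constructed line format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": outcome == "success"})
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=timedelta(minutes=5),
                     min_users=5, min_failure_ratio=0.5):
    """Flag source IPs that hit many distinct accounts inside one time window,
    mostly failing: the signature of a replayed list of stolen credentials.
    The thresholds are illustrative assumptions, not published Dropbox values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if not e["ok"])
            if len(users) >= min_users and failures / len(chunk) >= min_failure_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(chunk), "failures": failures}
    return flagged


def compromised_accounts(events, sources):
    """Accounts that logged in successfully from a flagged source: the ones whose
    reused password worked and that need a forced reset and a user notification."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in sources})


def new_ip_logins(events):
    """Login-history review: successful logins from an IP never before seen for
    that account. The account's first observed successful login is the baseline
    and is not flagged."""
    known = defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        if known[e["user"]] and e["ip"] not in known[e["user"]]:
            alerts.append((e["user"], e["ip"]))
        known[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    srcs = stuffing_sources(evs)
    print("stuffing sources:", srcs)
    print("accounts to reset:", compromised_accounts(evs, srcs))
    print("logins from new IPs:", new_ip_logins(evs))
```

On the sample data the single source 203.0.113.10 is flagged (seven accounts tried in fourteen seconds, five failures), alice and erin are the accounts whose reused passwords worked there, and alice's login from that address also shows up as a new-IP login because her earlier history is from 198.51.100.7. The two signals are complementary: the source-IP view catches the campaign, the per-account view is what the affected user can act on, and neither replaces the two-factor authentication the post goes on to mention.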
There is no doubt that weather-related issues have knocked out corporate data centers and that passwords have been compromised behind the firewalls of even the largest corporations in the world. However, when this happens, the corporate stakeholders at least have someone to hold accountable. When these types of things happen with a cloud storage provider such as DropBox, the DropBox Service Level Agreement (SLA) protects DropBox from any direct responsibility or damages.
Recommendation
Moving data to the public cloud is already happening at an accelerating rate. And the operational efficiencies and financial benefits are just too great for this trend to slow down. Therefore, even though it is a fair question to ask if it is safe to move your data to a public cloud, a more realistic question might be, "What do I need to know and what do I need to do to ensure that my data will be safe once I move it to the public cloud?"
With input and guidance from the CVeDR cloud panel experts, my recommendations are as follows:
1. Don't move any business data to the public cloud that is confidential, proprietary or is the essence of valuable corporate Intellectual Property (IP).
2. Have your legal department read the provider's Service Level Agreement (SLA).
3. Develop and/or follow corporate data retention policies in regards to the data you store in the public cloud.
4. Develop and/or follow corporate password and other security policies in regards to the data you store in the public cloud.
5. Talk to the cloud storage provider about eDiscovery and develop a joint plan for how it is going to be accomplished and how much it is going to cost.
Storing data in the public cloud is inexpensive and very efficient. Just be aware that there are risks that need to be mitigated and addressed.